Opinion
Contract data presents a unique GDPR challenge

With enforcement of the European Union’s General Data Protection Regulation on the horizon, compliance with the new rules of engagement has become a critical driver of business priorities.

The GDPR, which replaces the previous data-security regime with stricter obligations on data controllers and processors, applies a comprehensive set of mandates addressing the processing and management of personally identifiable information (PII).

Many organizations simply don’t know where to start when it comes to the GDPR directive. A recent survey by SAS reveals that less than half of respondents have a structured plan in place for compliance, while 58 percent believe their organization is not adequately aware of the risks of noncompliance.

The implications are startling given that certain violations, especially those seen as important breaches of private data, result in levies of up to 20 million euros or 4 percent of global annual turnover for the preceding financial year, whichever is the greater. The cost of noncompliance is high, however it is also an opportunity to right-fit an intelligent automated approach to data governance that will result in a more agile, competitive organization.

Extraction and analysis of data within contracts plays a very important role in compliance with the new EU rules, as organizations are tasked with ensuring contracts contain provisions regarding the responsibilities of any suppliers or agents that may be handling data. This includes how and when data will be returned or deleted after processing, and the details of the processing itself such as subject matter, duration, nature, purpose, and types and categories of data.

Another aspect of contract data of relevance to GDPR compliance is language in contracts which describes what constitutes a data breach, and the specific obligations and legal rights in the event one occurs. The definition of a breach is a bit vague under the new EU statutes, but is considered to occur if the breach may “result in a risk for the rights and freedoms of individuals.”

When there is a breach, it is important to understand the entry point, as well as the obligations of all parties for notification. Did it occur through the fault a vendor or supplier? If yes, do contracts indemnify the injured party and provide compensation for losses? Are there proper insurance clauses and coverage that covers for any loss? Ensuring these adequate protections are built into all contracts is crucial.

Notification or other obligations as a result of data breach are also mandated under the GDPR framework. This means that any obligation clauses in any existing contracts are no longer valid. As a result, obligation language should be revised in all contracts to reflect GDPR rules, and to eliminate legal ambiguity which could have been otherwise avoided, or confusion by the parties.

The regulations also allow for individuals to ask if their personal data is being captured and processed, and if it is, the organization must be able to produce copies of the data subject’s personal information in electronic format. Organizations are required to ensure contracts contain provisions regarding the tasks and responsibilities of the data processor, including how and when data will be returned or deleted after processing, and the details of the processing itself.

This presents a challenge as some of this data may come in the form of scanned documentation in an image format. Information that is currently digitized will need to be reviewed, particularly contracts handled by data processors. This can pose a significant challenge to organizations, as contracts of this nature are often spread across the entire contract corpus.

Moreover, converting the images that contain text into searchable documentation by applying OCR technology, and then finding, identifying, and reviewing pertinent vendor contracts is a long and often expensive process.

Getting into compliance with the new GDPR rules will require a data governance policy and framework that specifically addresses the unique challenges of data contained in contracts. For many organizations, particularly those that do not already have systems in place, navigating regulatory requirements, monitoring and staffing will be daunting. Research and advisory firm Gartner estimates that less than 50 percent of all organizations will be in full compliance with GDPR by the end of its first year.

However, adherence to this new EU mandate on data security will also provide companies with the confidence of knowing where all of their contracts are and what they say. Indeed, this is a powerful step toward becoming a truly data-driven organization.